Hi
There is no "cookie" on the server side per se. The cookie is a small text file
on the browser machine that contains a session id value which maps to a .NET
session object on the server side.
The clean way of implementing a logout is to remove/expire the cookie from the
browser and also invalidate the session object on the server side. In such a
case, even if a malicious user does manage to get a cookie with a session id
before its overwritten, the corresponding session object on the server side
would have already been destroyed. Also, it wont hurt to have a strict but
realistic session timeout value, after which the server will automatically
destroy the idle session.
I'm not too familiar with .NET but the corresponding equivalent of session
invalidation in J2EE is session.invalidate()
HTH
Steven Rebello
-----Original Message-----
From: spawn security [mailto:spawn.security@gmail.com]
Sent: Tue 16/08/2005 6:08 PM
To: webappsec@securityfocus.com
Cc:
Subject: Cookie not expiring...
I'm testing an application and after clicking on the logout button
the session management cookie does not expire. More specifically, the
application is using the FormsAuthentication class signout method to
"logout" an authenticated user.
Private Sub cmdSignOut_ServerClick(ByVal sender As System.Object,
ByVal e As System.EventArgs) _
Handles cmdSignOut.ServerClick
FormsAuthentication.SignOut()
Session.Abandon()
Response.Redirect("login.aspx", True)
End Sub
According to Microsoft documentation, this
FormsAuthentication.SignOut method works by returning a Set-Cookie
header to the browser that sets the cookie's value to a null string
and sets the cookie's expiration date to a date in the past. This is
only expiring the cookie on the client/browser side. Which will allow
a "malicious" user, who had access to the cookie, to reuse it after
user logs out.
Does anyone know how to force the cookie to expire on the server side
?
Thanks.
MASTEK
"Making a valuable difference"
Mastek in NASSCOM's 'India Top 20' Software Service Exporters List.
In the US, we're called MAJESCO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Opinions expressed in this e-mail are those of the individual and not that of
Mastek Limited, unless specifically indicated to that effect. Mastek Limited
does not accept any responsibility or liability for it. This e-mail and
attachments (if any) transmitted with it are confidential and/or privileged and
solely for the use of the intended person or entity to which it is addressed.
Any review, re-transmission, dissemination or other use of or taking of any
action in reliance upon this information by persons or entities other than the
intended recipient is prohibited. This e-mail and its attachments have been
scanned for the presence of computer viruses. It is the responsibility of the
recipient to run the virus check on e-mails and attachments before opening
them. If you have received this e-mail in error, kindly delete this e-mail from
all computers.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
